From eec761e76c8c6d13029867907873c5b4ede6dd11 Mon Sep 17 00:00:00 2001
From: Elio Bischof
Date: Mon, 11 Nov 2024 12:27:16 +0100
Subject: [PATCH] feat: WithPort, WithInsecureSkipVerifyTLS

---
 pkg/client/client.go | 2 +-
 pkg/client/credentials.go | 15 ++++++++++++---
 pkg/zitadel/zitadel.go | 27 +++++++++++++++++++++------
 3 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/pkg/client/client.go b/pkg/client/client.go
index 682df82..5143459 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -96,7 +96,7 @@ func newConnection(
 	tokenSource oauth2.TokenSource,
 	opts ...grpc.DialOption,
 ) (*grpc.ClientConn, error) {
-	transportCreds, err := transportCredentials(zitadel.Domain(), zitadel.IsTLS())
+	transportCreds, err := transportCredentials(zitadel.Domain(), zitadel.IsTLS(), zitadel.IsInsecureSkipVerifyTLS())
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/client/credentials.go b/pkg/client/credentials.go
index 50355ea..eb1ee01 100644
--- a/pkg/client/credentials.go
+++ b/pkg/client/credentials.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 
 	"golang.org/x/oauth2"
@@ -55,10 +56,17 @@ func requestMetadataFromToken(token *oauth2.Token) map[string]string {
 	}
 }
 
-func transportCredentials(domain string, tls bool) (credentials.TransportCredentials, error) {
-	if !tls {
+func transportCredentials(domain string, withTLS bool, insecureSkipVerifyTLS bool) (credentials.TransportCredentials, error) {
+	if !withTLS {
 		return insecure.NewCredentials(), nil
 	}
+	tlsConfig := &tls.Config{
+		ServerName: domain,
+		InsecureSkipVerify: insecureSkipVerifyTLS,
+	}
+	if insecureSkipVerifyTLS {
+		return credentials.NewTLS(tlsConfig), nil
+	}
 	ca, err := x509.SystemCertPool()
 	if err != nil {
 		return nil, err
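Review bot: transportCredentials still has no doc comment, and the new insecureSkipVerifyTLS parameter changes the trust model in a way callers need to see at the signature: with InsecureSkipVerify set, crypto/tls skips both chain and hostname verification, so ServerName on the new tls.Config only serves SNI and the peer is effectively unauthenticated. Suggest adding above the func: `// transportCredentials builds gRPC transport credentials for domain. withTLS=false yields plaintext; insecureSkipVerifyTLS=true keeps TLS but disables certificate and hostname verification (peer unauthenticated) and is meant for local or test setups only.` The function body continues in the next hunk, where RootCAs is attached for the verifying path. Because withTLS and insecureSkipVerifyTLS are adjacent bare bools, the call in client.go (the first hunk) can swap them without a compile error; documenting the order, or folding both into a small options struct in a follow-up, would make that mistake visible.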
@@ -66,5 +74,6 @@ func transportCredentials(domain string, tls bool) (credentials.TransportCredent
 	if ca == nil {
 		ca = x509.NewCertPool()
 	}
-	return credentials.NewClientTLSFromCert(ca, domain), nil
+	tlsConfig.RootCAs = ca
+	return credentials.NewTLS(tlsConfig), nil
 }
diff --git a/pkg/zitadel/zitadel.go b/pkg/zitadel/zitadel.go
index b6e1ea3..312e337 100644
--- a/pkg/zitadel/zitadel.go
+++ b/pkg/zitadel/zitadel.go
@@ -9,16 +9,18 @@ import (
 // This includes authentication, authorization as well as explicit API interaction
 // and is dependent of the provided information and initialization of such.
 type Zitadel struct {
-	domain string
-	port string
-	tls bool
+	domain string
+	port string
+	tls bool
+	insecureSkipVerifyTLS bool
 }
 
 func New(domain string, options ...Option) *Zitadel {
 	zitadel := &Zitadel{
-		domain: domain,
-		port: "443",
-		tls: true,
+		domain: domain,
+		port: "443",
+		tls: true,
+		insecureSkipVerifyTLS: false,
 	}
 	for _, option := range options {
 		option(zitadel)
@@ -30,6 +32,7 @@ func New(domain string, options ...Option) *Zitadel {
 type Option func(*Zitadel)
 
 // WithInsecure allows to connect to a ZITADEL instance running without TLS
+// Do not use in production
 func WithInsecure(port string) Option {
 	return func(z *Zitadel) {
 		z.port = port
@@ -37,6 +40,14 @@ func WithInsecure(port string) Option {
 	}
 }
 
+// WithInsecureSkipVerifyTLS allows to connect to a ZITADEL instance running with TLS but has an untrusted certificate
+// Do not use in production
+func WithInsecureSkipVerifyTLS() Option {
+	return func(z *Zitadel) {
+		z.insecureSkipVerifyTLS = true
+	}
+}
+
 // WithPort allows to connect to a ZITADEL instance running on a different port
 func WithPort(port uint16) Option {
 	return func(z *Zitadel) {
@@ -61,6 +72,10 @@ func (z *Zitadel) IsTLS() bool {
 	return z.tls
 }
 
+func (z *Zitadel) IsInsecureSkipVerifyTLS() bool {
+	return z.insecureSkipVerifyTLS
+}
+
 func (z *Zitadel) Domain() string {
 	return z.domain
 }
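Review bot: The new field is initialised as `insecureSkipVerifyTLS: false` in the composite literal in New, which is just the zero value; dropping that line keeps the literal to the fields that carry a non-default value (domain, port, tls) and makes it obvious that verification is on unless an option turns it off. The struct field itself would also benefit from a short comment, e.g. `// insecureSkipVerifyTLS disables server certificate and hostname verification; only meaningful while tls is true.`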
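Review bot: WithInsecureSkipVerifyTLS only sets the flag and does not touch tls, so if it is combined with WithInsecure (whose body continues outside the hunk and, from its name and doc, appears to disable TLS) the flag silently has no effect; the doc comment should state that precondition, and its grammar could be tightened: `// WithInsecureSkipVerifyTLS keeps TLS enabled but disables verification of the server certificate and hostname, e.g. for self-signed certificates. It has no effect when TLS is disabled via WithInsecure.` Keep the existing "Do not use in production" line beneath it.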
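Review bot: IsInsecureSkipVerifyTLS is exported without a doc comment, while the option it mirrors has one; add `// IsInsecureSkipVerifyTLS reports whether server certificate verification is disabled for TLS connections.` above the method. The last hunk of the file shows IsTLS immediately above it; if that accessor is also undocumented (its comment lines lie outside the hunk), the same one-line form would suit both.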